[Sandbox] Reduce entitlements granted by default

Since App Store approval decided these suddenly matter.

Signed-off-by: Christopher Snowhill <kode54@gmail.com>
swiftingly
Christopher Snowhill 2022-06-28 22:58:57 -07:00
parent a35459719d
commit 8b7418857d
3 changed files with 3 additions and 112 deletions

View File

@ -9,14 +9,8 @@
</array> </array>
<key>com.apple.security.app-sandbox</key> <key>com.apple.security.app-sandbox</key>
<true/> <true/>
<key>com.apple.security.assets.movies.read-only</key>
<true/>
<key>com.apple.security.assets.music.read-only</key>
<true/>
<key>com.apple.security.cs.allow-jit</key> <key>com.apple.security.cs.allow-jit</key>
<true/> <true/>
<key>com.apple.security.files.downloads.read-only</key>
<true/>
<key>com.apple.security.files.user-selected.read-write</key> <key>com.apple.security.files.user-selected.read-write</key>
<true/> <true/>
<key>com.apple.security.network.client</key> <key>com.apple.security.network.client</key>

View File

@ -24,35 +24,6 @@
@property(nonatomic) NSURL *_Nullable url; @property(nonatomic) NSURL *_Nullable url;
@end @end
static NSURL *containerDirectory(void) {
NSString *path = [@"~" stringByExpandingTildeInPath];
return [NSURL fileURLWithPath:path];
}
// XXX this is only for comparison, not "escaping the sandbox"
static NSURL *pathEscape(NSString *path) {
NSString *componentsToRemove = [NSString stringWithFormat:@"Library/Containers/%@/Data/", [[NSBundle mainBundle] bundleIdentifier]];
NSRange rangeOfMatch = [path rangeOfString:componentsToRemove];
if(rangeOfMatch.location != NSNotFound)
path = [path stringByReplacingCharactersInRange:rangeOfMatch withString:@""];
return [NSURL fileURLWithPath:path];
}
static NSURL *defaultMusicDirectory(void) {
NSString *path = [NSSearchPathForDirectoriesInDomains(NSMusicDirectory, NSUserDomainMask, YES) lastObject];
return pathEscape(path);
}
static NSURL *defaultDownloadsDirectory(void) {
NSString *path = [NSSearchPathForDirectoriesInDomains(NSDownloadsDirectory, NSUserDomainMask, YES) lastObject];
return pathEscape(path);
}
static NSURL *defaultMoviesDirectory(void) {
NSString *path = [NSSearchPathForDirectoriesInDomains(NSMoviesDirectory, NSUserDomainMask, YES) lastObject];
return pathEscape(path);
}
@interface PathItem : NSObject @interface PathItem : NSObject
@property(nonatomic, strong) NSString *path; @property(nonatomic, strong) NSString *path;
@property(nonatomic) BOOL enabled; @property(nonatomic) BOOL enabled;
@ -99,12 +70,6 @@ static NSURL *defaultMoviesDirectory(void) {
if(!results || [results count] < 1) return; if(!results || [results count] < 1) return;
NSURL *defaultMusic = defaultMusicDirectory();
NSURL *defaultDownloads = defaultDownloadsDirectory();
NSURL *defaultMovies = defaultMoviesDirectory();
NSURL *container = containerDirectory();
id sandboxBrokerClass = NSClassFromString(@"SandboxBroker"); id sandboxBrokerClass = NSClassFromString(@"SandboxBroker");
NSMutableArray *items = [[NSMutableArray alloc] init]; NSMutableArray *items = [[NSMutableArray alloc] init];
@ -125,7 +90,8 @@ static NSURL *defaultMoviesDirectory(void) {
// Add other system paths to this setting // Add other system paths to this setting
NSString *fileTreePath = [[NSUserDefaults standardUserDefaults] stringForKey:@"fileTreeRootURL"]; NSString *fileTreePath = [[NSUserDefaults standardUserDefaults] stringForKey:@"fileTreeRootURL"];
if(fileTreePath && [fileTreePath length]) { if(fileTreePath && [fileTreePath length]) {
[array addObject:[NSURL URLWithString:fileTreePath]]; // Append false name to dodge the directory/fragment trimmer
[array addObject:[NSURL URLWithString:[fileTreePath stringByAppendingPathComponent:@"moo.mp3"]]];
} }
NSString *soundFontPath = [[NSUserDefaults standardUserDefaults] stringForKey:@"soundFontPath"]; NSString *soundFontPath = [[NSUserDefaults standardUserDefaults] stringForKey:@"soundFontPath"];
@ -135,14 +101,7 @@ static NSURL *defaultMoviesDirectory(void) {
for(NSURL *fileUrl in array) { for(NSURL *fileUrl in array) {
NSURL *url = [sandboxBrokerClass urlWithoutFragment:fileUrl]; NSURL *url = [sandboxBrokerClass urlWithoutFragment:fileUrl];
if([sandboxBrokerClass isPath:url aSubdirectoryOf:defaultMusic] || if([sandboxPathBehaviorController matchesPath:url])
[sandboxBrokerClass isPath:url
aSubdirectoryOf:defaultDownloads] ||
[sandboxBrokerClass isPath:url
aSubdirectoryOf:defaultMovies] ||
[sandboxBrokerClass isPath:url
aSubdirectoryOf:container] ||
[sandboxPathBehaviorController matchesPath:url])
continue; continue;
NSArray *pathComponents = [url pathComponents]; NSArray *pathComponents = [url pathComponents];

View File

@ -17,40 +17,6 @@
#import "PlaylistController.h" #import "PlaylistController.h"
static NSURL *_containerDirectory = nil;
static NSURL *_defaultMusicDirectory = nil;
static NSURL *_defaultDownloadsDirectory = nil;
static NSURL *_defaultMoviesDirectory = nil;
static NSURL *containerDirectory(void) {
NSString *path = [@"~" stringByExpandingTildeInPath];
return [NSURL fileURLWithPath:path];
}
// XXX this is only for comparison, not "escaping the sandbox"
static NSURL *pathEscape(NSString *path) {
NSString *componentsToRemove = [NSString stringWithFormat:@"Library/Containers/%@/Data/", [[NSBundle mainBundle] bundleIdentifier]];
NSRange rangeOfMatch = [path rangeOfString:componentsToRemove];
if(rangeOfMatch.location != NSNotFound)
path = [path stringByReplacingCharactersInRange:rangeOfMatch withString:@""];
return [NSURL fileURLWithPath:path];
}
static NSURL *defaultMusicDirectory(void) {
NSString *path = [NSSearchPathForDirectoriesInDomains(NSMusicDirectory, NSUserDomainMask, YES) lastObject];
return pathEscape(path);
}
static NSURL *defaultDownloadsDirectory(void) {
NSString *path = [NSSearchPathForDirectoriesInDomains(NSDownloadsDirectory, NSUserDomainMask, YES) lastObject];
return pathEscape(path);
}
static NSURL *defaultMoviesDirectory(void) {
NSString *path = [NSSearchPathForDirectoriesInDomains(NSMoviesDirectory, NSUserDomainMask, YES) lastObject];
return pathEscape(path);
}
static SandboxBroker *kSharedSandboxBroker = nil; static SandboxBroker *kSharedSandboxBroker = nil;
@interface SandboxEntry : NSObject { @interface SandboxEntry : NSObject {
@ -69,7 +35,6 @@ static SandboxBroker *kSharedSandboxBroker = nil;
@property NSInteger refCount; @property NSInteger refCount;
- (id)initWithToken:(SandboxToken *)token; - (id)initWithToken:(SandboxToken *)token;
- (id)initWithStaticURL:(NSURL *)url;
@end @end
@implementation SandboxEntry @implementation SandboxEntry
@ -84,17 +49,6 @@ static SandboxBroker *kSharedSandboxBroker = nil;
return obj; return obj;
} }
- (id)initWithStaticURL:(NSURL *)url {
SandboxEntry *obj = [super init];
if(obj) {
obj->_refCount = 1;
obj->_secureUrl = nil;
obj->_token = nil;
obj->_path = [url path];
}
return obj;
}
- (NSInteger)refCount { - (NSInteger)refCount {
return _refCount; return _refCount;
} }
@ -193,22 +147,6 @@ static SandboxBroker *kSharedSandboxBroker = nil;
- (SandboxEntry *)recursivePathTest:(NSURL *)url { - (SandboxEntry *)recursivePathTest:(NSURL *)url {
SandboxEntry *ret = nil; SandboxEntry *ret = nil;
static dispatch_once_t onceToken;
dispatch_once(&onceToken, ^{
_containerDirectory = containerDirectory();
_defaultMusicDirectory = defaultMusicDirectory();
_defaultDownloadsDirectory = defaultDownloadsDirectory();
_defaultMoviesDirectory = defaultMoviesDirectory();
});
NSArray *urls = @[_containerDirectory, _defaultMusicDirectory, _defaultDownloadsDirectory, _defaultMoviesDirectory];
for(NSURL *checkUrl in urls) {
if([SandboxBroker isPath:url aSubdirectoryOf:checkUrl]) {
return [[SandboxEntry alloc] initWithStaticURL:checkUrl];
}
}
NSPersistentContainer *pc = [SandboxBroker sharedPersistentContainer]; NSPersistentContainer *pc = [SandboxBroker sharedPersistentContainer];
NSSortDescriptor *sortDescriptor = [NSSortDescriptor sortDescriptorWithKey:@"path.length" ascending:NO]; NSSortDescriptor *sortDescriptor = [NSSortDescriptor sortDescriptorWithKey:@"path.length" ascending:NO];